New Zealand’s Privacy Commissioner has found both a major private patient portal vendor and the country’s central public health agency in breach of patient privacy laws, following a December 2025 cyber incident that exposed the sensitive records of nearly 100,000 people.

The Phase 1 inquiry report released this week revealed that 99,416 patients had documents stolen from the "My Health Documents" module of the Manage My Health (MMH) portal. While initial estimates feared up to 126,000 people were impacted, the confirmed figure remains a significant breach of sensitive health data.

The incident has triggered calls for New Zealand to overhaul its privacy laws to mirror aspects of Australia’s regulatory models.

Manage My Health (MMH is a private, commercial third-party platform that acts as a patient portal and allows patients to view records and manage health data linked to their primary care providers.

Health NZ runs New Zealand’s national public health system.
NZ Privacy Commissioner Michael Webster announced he will issue formal compliance notices to both organisations under section 123 of New Zealand’s Privacy Act 2020.

Webster described compliance notices as “the strongest tool I currently have available to me to respond to serious privacy breaches”.

The bulk of the crisis was concentrated regionally, with around 91% of affected patients residing in Northland. This disproportionate impact was due to a unique local arrangement where Health NZ routinely transmitted hospital records directly to patients via the private MMH portal.

The inquiry concluded the breach was a cascading failure rather than a single technical glitch. Key vulnerabilities identified in the report include:

• MFA Left Optional: Multi-factor authentication was available on the MMH platform but was optional for users rather than strictly mandated.
• Inadequate Access Controls: Security controls were insufficiently effective, allowing hackers to use a single stolen patient account to systematically extract documents belonging to thousands of other patients.
• Detection Failures: MMH’s data leakage protection was deficient, and its internal systems failed to detect the hackers. The vendor only learned of the breach when alerted by Health NZ.
• Unaddressed Risks: Earlier security testing had flagged recurring access control and application security risks, but these themes were “not adequately addressed at the time of the breach”.

Health NZ was also heavily criticised for poor vendor governance over what the report termed a “novel and potentially precedent-setting digital project”.

The fallout from the breach has prompted the inquiry to recommend structural and legislative changes that draw heavily on Australian and European frameworks:

The report recommends that the NZ Ministry of Health establish a centralised program to independently verify that health tech vendors meet rigorous security standards. The inquiry explicitly cited Australia’s My Health Records Act registration system as a successful, comparable model for centralised vendor assurance.

“Simply relying on vendor assurances about their security profile is problematic, as this inquiry shows.”

Under current NZ law, principal organisations hold primary liability. The inquiry recommends amending the Privacy Act 2020 to make third-party service providers (like MMH) directly liable for security safeguards when processing data.

The report pointed to Article 32 of Europe’s GDPR and noted that Australia’s ongoing privacy reform programme is currently considering a similar "controller and processor" distinction to close this exact liability gap.

“Third parties are increasingly playing a key role in the sharing, processing and storage of personal data,” Commissioner Webster said. “As such they are a target for malicious actors. It is critical they too are incentivised to put in place safeguards.”

Phase 2 of the inquiry is scheduled to begin shortly, with a final report expected later in 2026. The next phase will turn its focus to patient authorisation protocols, portal data retention limits, breach notification communications, and why the breach had a disproportionate impact on Northland’s Māori population.